Cisco SECURE ACCESS
Cisco Secure Access is Cisco's Security Service Edge (SSE) solution.
architecture
features
Secure Internet Access
Secures internet access and controls public SaaS applications / cloud service usage across networks and roaming users.
Full proxy/SWG: Provides deep, granular control of web traffic, including flexible policies for selective decryption of encrypted traffic.
Cloud access security broker (CASB): Exposes shadow IT by detecting and reporting on the cloud applications in use across your environment, so you can manage cloud adoption, reduce risk, and restrict or block apps.
Firewall-as-a-Service (FWaaS): Blocks more by seeing more, with deep visibility and control of traffic across all ports and protocols.
DNS-layer security: Blocks internet requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints.
Remote browser isolation (RBI): Isolates web traffic from the user device and the threat, so that users can safely access risky websites.
Secure malware analytics: Combines advanced sandboxing with threat intelligence in one unified solution to protect organizations from malware.
Cloud malware detection: Detects and removes malware from cloud-based applications and ensures that apps remain malware-free.
Talos Interactive Threat Intelligence
Talos, a leading global provider of security research, analyzes hundreds of billions of DNS requests and other telemetry records daily. It continuously runs AI, statistical, and machine learning models against this data to provide insight into cyber threats and improve incident response.
Uncover malicious domains, IPs, malware, and URLs before they’re used in attacks.
Prioritize incident investigations.
Speed incident investigations and response.
Predict future attack origins by pinpointing and mapping out attackers’ infrastructures.
DNS Layer Security
A differentiating first line of defense.
Deploy enterprise-wide in minutes.
Block malware, phishing, and C2 (command-and-control) callbacks from anywhere.
Prevent or limit visits to malicious websites from guest Wi-Fi networks.
Stop threats at the earliest point to reduce alert triage.
Accelerate internet access by proxying only risky domains.
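The decision a DNS-layer filter makes on every query, as an added illustrative model (not Cisco or Umbrella code): a known-bad name is answered with a sinkhole address before any connection is made, a risky-category name is steered to the cloud proxy for a full look, everything else resolves normally, and the Windows connectivity-probe hosts listed under Bypass URLs at the end of this page are left alone. The threat-intel table, category feed, sinkhole and proxy addresses and the query log below are constructed for this example.

```python
"""Model of the DNS-layer decision a resolver-based filter makes per query.

Added illustrative example; not Cisco/Umbrella code.  THREAT_INTEL, CATEGORY,
the sinkhole/proxy addresses and SAMPLE_LOG are constructed for this example.
"""
from collections import Counter

# Windows connectivity-probe hosts to exclude from filtering (the page's bypass list).
BYPASS = {"www.msftconnecttest.com", "www.msftncsi.com"}

# Constructed threat intelligence: known-bad destinations -> threat type.
THREAT_INTEL = {
    "dropper.example": "malware",
    "login-paypa1.example": "phishing",
    "beacon.example": "c2",
}

# Constructed category feed; anything absent is treated as "uncategorized".
CATEGORY = {
    "cdn.example": "cdn",
    "paste.example": "file-sharing",
    "brandnew.example": "newly-seen",
}

# Categories that get a full-proxy look (selective decryption) instead of a plain allow.
RISKY = {"file-sharing", "newly-seen", "uncategorized"}

SINKHOLE_IP = "192.0.2.1"    # RFC 5737 documentation address standing in for the block page
PROXY_IP = "198.51.100.1"    # stands in for the cloud proxy's virtual IP


def _labels(qname: str):
    """Yield the name and each parent domain below the TLD: a.b.c -> a.b.c, b.c."""
    parts = qname.split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def decide(qname: str):
    """Return (action, reason, answer_ip) for one query name.

    action is one of bypass / block / proxy / allow.  answer_ip is the A record
    the filter substitutes (sinkhole or proxy), or None to pass the real answer.
    Matching walks parent domains, so evil.beacon.example inherits beacon.example's verdict.
    """
    name = qname.lower().rstrip(".")
    candidates = list(_labels(name))
    if any(c in BYPASS for c in candidates):
        return "bypass", "connectivity probe", None
    for c in candidates:
        if c in THREAT_INTEL:
            return "block", THREAT_INTEL[c], SINKHOLE_IP
    category = next((CATEGORY[c] for c in candidates if c in CATEGORY), "uncategorized")
    if category in RISKY:
        return "proxy", category, PROXY_IP
    return "allow", category, None


# Constructed query log: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.1.20 A www.msftconnecttest.com
2024-05-01T09:00:02Z 10.1.1.20 A cdn.example
2024-05-01T09:00:03Z 10.1.1.20 A EVIL.beacon.example.
2024-05-01T09:00:04Z 10.1.1.21 A paste.example
2024-05-01T09:00:05Z 10.1.1.21 A login-paypa1.example
2024-05-01T09:00:06Z 10.1.1.21 A beacon.example
"""


def triage(log_text: str):
    """Apply decide() to every log line.  Returns per-action counts and the
    clients ranked by blocked queries, which is the list an analyst works first."""
    actions = Counter()
    blocked_by_client = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        action, _reason, _ip = decide(qname)
        actions[action] += 1
        if action == "block":
            blocked_by_client[client] += 1
    return dict(actions), blocked_by_client.most_common()


if __name__ == "__main__":
    for q in ("www.msftncsi.com", "EVIL.beacon.example.", "paste.example", "cdn.example"):
        print(q, "->", decide(q))
    print(triage(SAMPLE_LOG))
```

Two details matter in practice: names are normalised (case, trailing dot) and matched by parent domain, otherwise a trivially renamed subdomain escapes the verdict; and the bypass check runs first, because a sinkholed or proxied probe answer makes Windows report a captive portal or no internet for every user.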
Multimode DLP
Analyze sensitive data in-line to provide visibility and control over sensitive data leaving your organization.
API-based DLP functionality for out-of-band analysis of data at rest in the cloud.
190+ built-in content classifiers including GDPR, PCI-DSS, HIPAA, PII, and PHI.
Inspection of cloud app and web traffic content and enforcement of data policies.
Detection and reporting on sensitive data usage and drill-down reports to help identify misuse.
Ability to assign DLP policies to AI applications so users can more safely use public AI services such as ChatGPT, protecting against IP loss or IP contamination by detecting and blocking risky content.
API-based functionality is supported on the following apps: Box Cloud Storage, ChatGPT, OpenAI ChatGPT API, Concur Invoice, Confluence, DLPTest.com, Dropbox, Facebook Messenger, Gmail, Jira, LinkedIn SlideShare, Monday, Pastebin, Salesforce, ServiceNow, ShareFile, Slack, Smartsheet, WeTransfer, Workday HCM, Yahoo Mail.
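How in-line DLP classification and destination-aware enforcement fit together, as an added illustrative example (not Cisco code): two content classifiers run over a request body, and the action depends on which app the data is heading to, so the same card number is blocked on the way to a public AI service and merely monitored elsewhere. The two classifiers (a Luhn-checked PCI-DSS card detector and a US SSN detector), the POLICY table, the app hostnames and the sample request bodies are constructed for this example.

```python
"""Inline DLP content classification with destination-aware enforcement.

Added illustrative example; not Cisco code.  The two classifiers, the POLICY
table and the sample request bodies are constructed for this example.
"""
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the canonical AAA-GG-SSSS form.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the cheap filter that keeps random digit runs out of PCI hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    classifier: str   # "PCI-DSS" or "PII"
    masked: str       # only the masked form leaves the inspection engine


def classify(text: str) -> list:
    """Run the content classifiers over one request body."""
    findings = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("PCI-DSS", "*" * (len(digits) - 4) + digits[-4:]))
    for m in _SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # The SSA never issues these; skipping them removes the obvious false positives.
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        findings.append(Finding("PII", "***-**-" + serial))
    return findings


# Constructed destination policy: classifier -> action, keyed by app host.
POLICY = {
    "chat.openai.com": {"PCI-DSS": "block", "PII": "block"},    # public AI app: nothing sensitive out
    "box.example.com": {"PCI-DSS": "block", "PII": "monitor"},  # sanctioned storage: card data still blocked
}
DEFAULT_POLICY = {"PCI-DSS": "monitor", "PII": "monitor"}


def enforce(app_host: str, body: str):
    """Return (action, findings): block beats monitor beats allow."""
    findings = classify(body)
    rules = POLICY.get(app_host.lower(), DEFAULT_POLICY)
    actions = {rules.get(f.classifier, "monitor") for f in findings}
    if "block" in actions:
        return "block", findings
    if findings:
        return "monitor", findings
    return "allow", findings


# Constructed sample requests: a prompt to a public AI app and a wiki edit.
SAMPLES = [
    ("chat.openai.com", "Summarise this chargeback: card 4111 1111 1111 1111, exp 12/26"),
    ("wiki.example.com", "Onboarding note: SSN 123-45-6789, order ref 4111 1111 1111 1112"),
]

if __name__ == "__main__":
    for host, body in SAMPLES:
        action, found = enforce(host, body)
        print(host, action, [(f.classifier, f.masked) for f in found])
```

The Luhn check and the SSN range filter are what separate a usable classifier from one that fires on every order reference and phone number; real products layer proximity keywords ("card", "SSN") and thresholds on top, which this model omits. Findings carry only masked values so that the DLP report itself does not become a second copy of the data.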
AMP (Advanced Malware Protection)
Detect hidden attack methods and report on malicious files.
Advanced sandboxing with threat intelligence in one unified solution.
Speed threat hunting and incident response via a single, correlated source of intelligence.
APIs to enrich security data and integrate with XDR or commonly used SIEMs.
Access to the full Secure Malware Analytics console.
Retrospective notification if file disposition changes (originally good / later deemed malicious).
Sandbox
Access to the full Secure Malware Analytics console.
Advanced threat intelligence.
Execution of malicious files in a Glovebox (an interactive sandbox session the analyst can drive).
Track file execution actions.
Capture network activity generated by the file.
Isolated testing environment.
RBI (Remote Browser Isolation)
RBI protects users and organizations from browser-based threats.
Shifts the execution of browsing activity from the user to a remote cloud-based virtualized browser instance to protect from Internet threats.
Website code is run separately and only a safe visual stream is delivered to the user.
Fully transparent to the end user.
Isolation of web traffic between user device and browser-based threats.
Rapid deployment without changing existing browser configuration.
Delivers secure web browsing with protection from zero-day threats.
Maintains employee productivity by ensuring safe access to risky destinations and protecting high-risk users.
Secure Private Access
Protects all private apps, including non-standard ones that use alternate ports or protocols, are multichannel, or are peer-to-peer. Delivers both ZTNA and VPN as a service (VPNaaS) for private application access.
App connectors
Provide secure connectivity to private applications and simplify the administrative work of setting it up.
VPNaaS (VPN as a service)
Simplifies connectivity with no need to select a head-end or tunnel type.
Enables remote users to access private applications through the Secure Access fabric using the Cisco Secure Client.
Identity-based access control using SAML authentication through the customer's IdP.
Endpoint posture is also evaluated, enabling granular access control to private resources.
Supports granular per application access control.
Replaces a traditional VPN and allows customer to offload operations to cloud service.
Eliminate hardware installation and maintenance.
Boost productivity with user access to all apps/resources.
SAML 2.0 + cert-based authentication.
Posture verification (optional).
IPS
DEM (Digital Experience Monitoring)
Monitor the health and performance of endpoints, applications, and network connectivity.
Key DEM insight examples:
Endpoint performance — CPU, memory, Wi-Fi
Network performance — endpoint to Secure Access
Top 20 SaaS applications performance
User specific events
Optimize user productivity by automatically mining details on the user’s end-to-end experience, enabling the IT/security staff to rapidly resolve issues.
VPN as a service
Additional detail beyond the VPNaaS points under Secure Private Access above (connectivity, per-application access control, SAML and posture):
Eliminates hardware installation and maintenance (no head-ends, no version upgrades, etc.).
Simplifies operations with a single console, agent, and policy engine.
Scales easily with high performance as the user base grows.
Integration with Identity Services Engine (ISE) and support for RADIUS authentication.
Functionality examples: use-case support (split tunneling and tunnel-all, peer-to-peer communication, trusted network detection, BYO certificate, split DNS, dynamic split DNS); multiple authentication methods (SAML, certificate, RADIUS); user ease of use (always-on VPN, start before logon); IT operational simplification (local IP pool, multiple VPN profiles).
Supports a management tunnel that lets users bring up a VPN tunnel and authenticate to on-premises Active Directory when logging into PCs and performing password resets.
The management tunnel can also be used by desktop management teams to push software updates to PCs without a user VPN login.
ordering guide
Essentials
Secure Internet Access (SIA),
Secure Private Access (SPA),
SWG,
ZTNA, layer 3/4 firewall,
CASB,
RBI (risky traffic only) and more*
NOTE: minimum quantity 100
Advantage
All capabilities in the Essentials package, plus:
Layer 7 Firewall,
IPS,
DLP,
RBI (any traffic) and more*
ENHANCED SUPPORT
Cisco Software Support Enhanced is automatically attached to all three license tiers.
Included with Enhanced support is:
Kick-off
Overview and Planning
Deployment Guidance
Ongoing Adoption Support
Periodic Security Optimization Checks
Prioritized access to Multiproduct Expertise in the Solution Support TAC
PREMIUM SUPPORT
Premium Support is an optional upgrade, recommended for customers with complex environments, and includes:
All Features of Enhanced
Success and service point of contact
Extended 1:1 adoption sessions
Periodic business and operational reviews
Increased support case priority over Enhanced
More details on migration services are to come; reach out to the PM with immediate questions.
COMPETITIVE ADVANTAGE
Zscaler
ZPA is not a full replacement for VPN
Three separate dashboards vs one w/Cisco
New agent and vendor
Expensive and misleading initial pricing
Difficult to do business with / “sales arrogance”
Multiple dashboards, bad admin experience, complicated to configure
ZTNA: some apps are not supported
ZPA performance and outages
Requires budget approval before POV
Palo Alto
Weak ZTNA solution
Best for current PAN customers
Complicated, expensive, and rigid licensing model
Multiple management options
Required and expensive data lake
ZTNA security is weak, relying on firewall objects
Not designed for new PAN customers
Complicated policy model for non-PAN customers
Netskope
Expensive point product
Private access isn’t replacement for VPN
Complicated admin experience
Unified but complicated UI
Lack of VPNaaS
Limited SD-WAN capabilities / needs 3rd party
Immature Digital Experience Monitoring
Standard DNS control and detailed DNS logging: advanced recursive DNS is not supported.
Flexible connectivity options: Zscaler only supports a resource connector; IPsec tunnels are not supported.
DNS resolver service and performance: in Zscaler, recursive DNS requires additional licensing; Netskope does not support recursive DNS.
Full DNS-over-HTTPS security coverage: Netskope does not support IPv6 traffic for security inspection.
Digital Experience Monitoring: additional costs may be involved with Netskope and Zscaler.
RESOURCES
https://wiki.saselab.net/integrating-google-workspace-idp-with-secure-access Integrating Google Workspace IDP with Secure Access
https://learn-cloudsecurity.cisco.com/secure-access-product-tour Guided tour of Cisco Secure Access Dashboard
https://docs.sse.cisco.com/ Cisco Secure Access Help Center
LEARN
Bypass URLs
www.msftconnecttest.com
www.msftncsi.com
These are the Windows Network Connectivity Status Indicator (NCSI) probe hosts; exclude them from inspection so Windows does not report "no internet" or a captive portal when traffic goes through the proxy.
SUPPORT
https://supportassistant.cisco.com/ Cisco Support Assistant
https://mycase.cloudapps.cisco.com/start Manage Support Cases
Email: tac@cisco.com